Merge branch 'main' into patch-1

apple · Sep 27, 2024 · efc8b51 · efc8b51
2 parents 0b63150 + 7038dc1
commit efc8b51
Show file tree

Hide file tree

Showing 16 changed files with 1,174 additions and 33 deletions.
diff --git a/.github/workflows/lint-scripts/websites-shared-credentials-sort-order.rb b/.github/workflows/lint-scripts/websites-shared-credentials-sort-order.rb
@@ -3,8 +3,8 @@
 def process_file(file_path)
   shared_websites = JSON.parse File.read(file_path)
   shared_websites_sorted = shared_websites.sort do |a, b|
-    a_string = a["shared"] ? a["shared"].first : (a["from"] ? a["from"].first : "")
-    b_string = b["shared"] ? b["shared"].first : (b["from"] ? b["from"].first : "")
+    a_string = a["shared"] || a["from"] || [""]
+    b_string = b["shared"] || b["from"] || [""]
     a_string <=> b_string
   end
 

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -57,10 +57,20 @@ When contributing or amending a set of websites sharing a credential backend, yo
 
 Use the website in question until you find the standalone page for updating the user's password, or a high-level "Account Information" or "Security" page. The closer the URL takes the user to be able to change their password, the better. Before adding a URL, ensure that it works properly both when the user is logged in and when they are not. URLs added to [`quirks/change-password-URLs.json`](quirks/change-password-URLs.json) should have a scheme of https unless the website does not allow changing the password on an https page.
 
+### Contributing to Apple Application IDs to Domains that Share Credentials
+
+On macOS, for app bundle `Example.app`, you can find the App ID by dumping its entitlements with `codesign -d --entitlements - --xml path/to/Example.app`. Its App ID is the value in the XML for key `com.apple.application-identifier`. For macOS apps in particular, if there is no App ID present, the effective App ID is the app's Bundle Identifier (`CFBundleIdentifier` in the app's `Info.plist`).
+
+When contributing or amending a set of websites for an App ID, you should state why you believe the domains do share a credential backend with the app, with evidence to support your claim.
+
 ### Contributing to Websites Where 2FA Code is Appended to Password
 
 When contributing or amending a set of websites that require that the user append a generated code to their password when signing in, you should state why you believe the relevant domains require such. This may involve citing a URL to the relevant support page for the website.
 
+### Contributing to Websites That Ask for Credentials for Other Services When Embedded as Third-party
+
+When contributing or amending the list of websites that when embedded as a third party, are known to ask for credentials for other services, you should provide evidence that the given website or websites behaves this way. This may involve a screenshot or steps to navigate a website to observe a subframe behaving this way.
+
 ### Contributing a New Kind of Quirk or Other Resource
 
 If you have a new type of quirk or another resource, that you feel that other password managers could use to improve users' experiences and make password management more attractive for people who aren't using a password manager, please [reach out](mailto:password-manager-resources-maintainers@apple.com) to this project's maintainers at Apple so we can discuss the details.

diff --git a/LICENSE.md b/LICENSE.md
@@ -1,4 +1,4 @@
-Copyright 2020 - 2022 Apple Inc.
+Copyright 2020 - 2024 Apple Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 

diff --git a/README.md b/README.md
@@ -53,9 +53,29 @@ The [Contributing](CONTRIBUTING.md) document goes into detail on the format of t
 
 The file [`quirks/change-password-URLs.json`](quirks/change-password-URLs.json) contains a JSON object mapping domains to URLs where users can change their password. This is the quirks version of the [Well Known URL for Changing Passwords](https://github.com/w3c/webappsec-change-password-url). If a website adopts the Change Password URL, it should be removed from this list.
 
+### Apple App IDs to Domains that Share Credentials
+
+The file [`apple-appIDs-to-domains-shared-credentials.json`](quirks/apple-appIDs-to-domains-shared-credentials.json) expresses relationships between apps running on macOS, iOS, and iPadOS, and domains that use the same credentials. Information in this file is used by iOS and iPadOS (since version 17.4) and macOS (since version 14.4) for suggesting credentials in apps that do not have an [association with domains](https://developer.apple.com/documentation/xcode/supporting-associated-domains). The system AutoFill capability makes use of this information to improve the user experience of signing into these apps by giving users inline suggestions of the appropriate credentials when signing in. This works for all password managers that make use of the [Credential Provider Extension](https://support.apple.com/guide/security/credential-provider-extensions-sec6319ac7b9/web) mechanism.
+
+The JSON file is a map from [App Identifier](https://developer.apple.com/help/account/manage-identifiers/register-an-app-id/) to an array of domains. Domains should be ordered by prominence from most prominent to least. The apps do not need to be distributed on Apple's App Store.
+
+### Web Browser Extension Distribution Information
+
+The file [`web-browser-extension-distribution-information.json`](quirks/web-browser-extension-distribution-information.json) expresses relationships between web browsers and web browser extension storefronts.
+
+This information may be useful to any password manager with a web browser extension for the purpose of discovering installed web browsers where a user may want to install the password manager's extension.
+
+Information in this file is re-packaged by Apple for use in macOS Sequoia version 15.1 and above to limit the [Native Messaging Host](https://developer.chrome.com/docs/extensions/develop/concepts/native-messaging) of the iCloud Passwords extension to only communicate with known web browsers.
+
 ### Websites Where 2FA Code is Appended to Password
 
-The file [`quirks/websites-that-append-2fa-to-password.json`](quirks/websites-that-append-2fa-to-password.json) contains a JSON array of domains which use a two-factor authentication scheme where the user must append a generated code to their password when signing in. This list of websites could be used to prevent auto-submission of signin forms, allowing the user to append the 2FA code without frustration. It can also be used to suppress prompting to update a saved password when the submitted password is prefixed by the already-stored password.
+The file [`quirks/websites-that-append-2fa-to-password.json`](quirks/websites-that-append-2fa-to-password.json) contains a JSON array of domains which use a two-factor authentication scheme where the user must append a generated code to their password when signing in. This list of websites could be used to prevent auto-submission of sign-in forms, allowing the user to append the 2FA code without frustration. It can also be used to suppress prompting to update a saved password when the submitted password is prefixed by the already-stored password.
+
+### Websites That Ask for Credentials for Other Services When Embedded as Third-party
+
+The file [`quirks/websites-that-ask-for-credentials-for-other-services-when-embedded-as-third-party.json`](websites-that-ask-for-credentials-for-other-services-when-embedded-as-third-party.json) contains a JSON array of domains that, when embedded as a third party, are known to ask for credentials for other services. For example, some payment processors conduct transactions by being embedded in an `<iframe>` on a website. These payment processors may ask for banking credentials directly, without using OAuth.
+
+A password manager may wish to not offer to save a new password submitted in such an `<iframe>`, because the credentials are likely to not be for the service itself.
 
 ## Contributing
 

diff --git a/quirks/apple-appIDs-to-domains-shared-credentials.json b/quirks/apple-appIDs-to-domains-shared-credentials.json
@@ -0,0 +1,79 @@
+{
+    "P7SDVXUZPK.com.etrade.mobileproiphone": [
+        "etrade.com"
+    ],
+    "PPTA7G59L3.com.kpcu.architectmobile": [
+        "kpcu.com"
+    ],
+    "KPSFBM8T3Z.com.optum.mobile.OptumBank": [
+        "myuhc.com"
+    ],
+    "KPSFBM8T3Z.com.optumhealth.mobile.OptumRX": [
+        "myuhc.com"
+    ],
+    "UF8VKHMLML.com.uhg.mobile.uhc": [
+        "myuhc.com"
+    ],
+    "LJU5B5SR84.com.educationalccu.mobile": [
+        "onlinebank.com"
+    ],
+    "T5W6CQA35T.com.fis.447iPhoneSUB": [
+        "cit.com"
+    ],
+    "L6F2ZQ2MJV.com.metlife.us.business": [
+        "access.online.metlife.com",
+        "identity.metlife.com"
+    ],
+    "QDZLSW3Z22.com.leviton.home": [
+        "leviton.com"
+    ],
+    "3976U676H6.com.allegion.sense.store": [
+        "schlage.com"
+    ],
+    "G4K4BQ7S8J.com.backblaze.BzBackupBrowser": [
+        "backblaze.com"
+    ],
+    "J983T9Z6T6.com.birdbuddy.app": [
+        "mybirdbuddy.com"
+    ],
+    "M3Q8QUH343.com.getmysa.mysa": [
+        "getmysa.com"
+    ],
+    "ZRZ3QJN79B.com.dyson.dysonlink": [
+        "dyson.com"
+    ],
+    "com.backblaze.BackblazeDownloader": [
+        "backblaze.com"
+    ],
+    "K65HQ235M5.org.sutterhealth.myhealthonline": [
+        "sutterhealth.org"
+    ],
+    "T9984LC44E.com.whisker.ios": [
+        "litter-robot.com"
+    ],
+    "K832E2UXV7.com.riotgames.mobile.leagueconnect": [
+        "riotgames.com"
+    ],
+    "GN78YB727N.com.namecheap.iosapp": [
+        "namecheap.com"
+    ],
+    "8MQ82YZW32.com.travefy.go": [
+        "travefy.com"
+    ],
+    "39FN7MD5NR.com.elation.patientpassport": [
+        "elationpassport.com"
+    ],
+    "XUD5XM3X2G.com.vail.EpicMix": [
+        "epicpass.com"
+    ],
+    "UPS7472725.com.metrolinx.presto.ios.consumerapp": [
+        "prestocard.ca"
+    ],
+    "PX369MG78T.com.dmdbrands.balancehealth": [
+        "greatergoods.com"
+    ],
+    "498RNR3HN7.com.tdbank.iphoneapp": [
+        "td.com",
+        "tdbank.com"
+    ]
+}
diff --git a/quirks/change-password-URLs.json b/quirks/change-password-URLs.json
@@ -7,19 +7,42 @@
     "aarp.org": "https://secure.aarp.org/account/editaccount?request_locale=en&nu=t",
     "account.magento.com": "https://account.magento.com/customer/account/changepassword",
     "account.publishing.service.gov.uk": "https://www.account.publishing.service.gov.uk/account/edit/password",
+    "accounts.panic.com": "https://accounts.panic.com/password_set",
+    "acehardware.com": "https://www.acehardware.com/myaccount#settings",
     "acorns.com": "https://app.acorns.com/settings/change-password",
+    "adafruit.com": "https://accounts.adafruit.com/settings/password",
     "adobe.com": "https://account.adobe.com/security",
     "adultfriendfinder.com": "https://adultfriendfinder.com/p/update.cgi?p=my_account_update_account_password",
     "ae.com": "https://www.ae.com/myaccount",
+    "aeon.co.jp": "https://www.aeon.co.jp/app/settings/profile/password/",
     "aerlingus.com": "https://www.aerlingus.com/html/user-profile.html",
     "aesop.com": "https://www.aesop.com/my-account",
     "airnewzealand.com": "https://www.airnewzealand.com/membership/profile/security/password",
     "alaskaair.com": "https://www.alaskaair.com/www2/ssl/myalaskaair/myalaskaair.aspx?view=myinformation&tab=email",
     "aliexpress.com": "https://login.aliexpress.com/",
+    "allegro.pl": "https://allegro.pl/moje-allegro/moje-konto/logowanie-i-haslo",
     "alliantcreditunion.com": "https://www.alliantcreditunion.com/OnlineBanking/Settings/AccessAndSecurity/ChangePassword.aspx",
     "allianz.com.br": "https://www.allianz.com.br/alteracao-de-password-ecliente",
     "allrecipes.com": "https://www.allrecipes.com/account/profile#/change-password",
     "alternate.de": "https://www.alternate.de/html/myAccount/account/basicData.html",
+    "amazon.ae": "https://www.amazon.ae/ax/account/manage",
+    "amazon.ca": "https://www.amazon.ca/ax/account/manage",
+    "amazon.co.uk": "https://www.amazon.co.uk/ax/account/manage",
+    "amazon.com": "https://www.amazon.com/ax/account/manage",
+    "amazon.com.au": "https://www.amazon.com.au/ax/account/manage",
+    "amazon.com.br": "https://www.amazon.com.br/ax/account/manage",
+    "amazon.com.mx": "https://www.amazon.com.mx/ax/account/manage",
+    "amazon.com.tr": "https://www.amazon.com.tr/ax/account/manage",
+    "amazon.de": "https://www.amazon.de/ax/account/manage",
+    "amazon.es": "https://www.amazon.es/ax/account/manage",
+    "amazon.fr": "https://www.amazon.fr/ax/account/manage",
+    "amazon.in": "https://www.amazon.in/ax/account/manage",
+    "amazon.it": "https://www.amazon.it/ax/account/manage",
+    "amazon.nl": "https://www.amazon.nl/ax/account/manage",
+    "amazon.pl": "https://www.amazon.pl/ax/account/manage",
+    "amazon.sa": "https://www.amazon.sa/ax/account/manage",
+    "amazon.se": "https://www.amazon.se/ax/account/manage",
+    "amazon.sg": "https://www.amazon.sg/ax/account/manage",
     "amctheatres.com": "https://www.amctheatres.com/amcstubs/account",
     "americanexpress.com": "https://www.americanexpress.com/en-us/account/password/reset",
     "ana.co.jp": "https://cam.ana.co.jp/psz/us/amc_us.jsp?index=105",
@@ -52,6 +75,7 @@
     "bestbuy.com": "https://www.bestbuy.com/identity/accountSettings/page/password",
     "biblegateway.com": "https://www.biblegateway.com/user/account/",
     "birkenstock.com": "https://www.birkenstock.com/profile",
+    "blackwells.co.uk": "https://blackwells.co.uk/bookshop/account/personal-details",
     "blend.io": "https://blend.io/settings",
     "blockchain.com": "https://login.blockchain.com/en/#/security-center/advanced",
     "bloomberg.com": "https://www.bloomberg.com/portal/account",
@@ -93,6 +117,8 @@
     "crackle.com": "https://www.crackle.com/profile",
     "craigslist.org": "https://accounts.craigslist.org/pass",
     "creditkarma.com": "https://www.creditkarma.com/myprofile/security",
+    "credly.com": "https://www.credly.com/earner/settings/privacy",
+    "crowdin.com": "https://accounts.crowdin.com/password/change",
     "crunchyroll.com": "https://www.crunchyroll.com/resetpw",
     "cvs.com": "https://www.cvs.com/my-account/profile/sign-in-and-security/edit-password",
     "dailymail.co.uk": "https://www.dailymail.co.uk/registration/profile/change-password.html",
@@ -112,12 +138,12 @@
     "doordash.com": "https://www.doordash.com/accounts/password/reset/",
     "dropbox.com": "https://www.dropbox.com/account/security",
     "dsw.com": "https://www.dsw.com/en/us/profile",
+    "duolingo.com": "https://duolingo.com/settings/profile",
     "dwr.com": "https://www.dwr.com/profile",
     "ea.com": "https://myaccount.ea.com/cp-ui/security/index",
     "ebay.com": "https://accounts.ebay.com/acctsec/security-center/chngpwd",
     "eporner.com": "https://www.eporner.com/profile/mturk_eporn/my/edit-pass/",
     "espn.com": "https://www.espn.com/",
-    "etsy.com": "https://www.etsy.com/your/account?ref=hdr_user_menu-settings",
     "eventbrite.com": "https://www.eventbrite.com/account-settings/password",
     "evite.com": "https://www.evite.com/reset_password/",
     "expedia.com": "https://www.expedia.com/user/forgotpassword",
@@ -202,9 +228,11 @@
     "mlb.com": "https://www.mlb.com/account/general",
     "msn.com": "https://account.live.com/password/change?refd=account.microsoft.com&fref=home.banner.changepwd",
     "music.youtube.com": "https://myaccount.google.com/signinoptions/password",
+    "my.goabode.com": "https://my.goabode.com/#/app/account",
     "myaccount.ea.com": "https://myaccount.ea.com/cp-ui/security/index",
     "myaccount.google.com": "https://myaccount.google.com/signinoptions/password",
     "myfreecams.com": "https://www.myfreecams.com/php/account.php?request=status&vcc=1674246522#change_password",
+    "mypay.dfas.mil": "https://mypay.dfas.mil/#/settings/password",
     "myshopify.com": "https://accounts.shopify.com/accounts/186490458/security",
     "naver.com": "https://nid.naver.com/user2/help/myInfo.nhn?m=viewChangePasswd",
     "nba.com": "https://www.nba.com/account/nbaprofile",
@@ -214,10 +242,12 @@
     "news.yahoo.com": "https://login.yahoo.com/myaccount/security/change-password/",
     "news.ycombinator.com": "https://news.ycombinator.com/changepw",
     "newsweek.com": "https://www.newsweek.com/contact",
+    "nextdns.io": "https://my.nextdns.io/account",
     "nfl.com": "https://id.nfl.com/account/change-password",
     "nhentai.net": "https://nhentai.net/reset/",
     "nike.com": "https://www.nike.com/member/settings",
     "nintendo.com": "https://accounts.nintendo.com/password/edit",
+    "njal.la": "https://njal.la/settings",
     "nordstrom.com": "https://www.nordstrom.com/my-account/sign-in-info",
     "nordstromrack.com": "https://www.nordstromrack.com/my-account/sign-in-info",
     "npr.org": "https://secure.npr.org/oauth2/login",
@@ -238,6 +268,7 @@
     "pearson.com": "https://www.pearson.com/store/en-us/my-account/update-password",
     "pilotflyingj.com": "https://portal.pilotflyingj.com/myrewards/forgot-password",
     "pinterest.com": "https://www.pinterest.com/settings/account-settings",
+    "pl.canalplus.com": "https://logowanie.pl.canalplus.com/zmien-haslo",
     "playstation.com": "https://id.sonyentertainmentnetwork.com/id/management/#/p/security",
     "plex.tv": "https://app.plex.tv/desktop#!/account",
     "politico.com": "https://www.politico.com/settings",
@@ -247,7 +278,7 @@
     "poshmark.com": "https://poshmark.com/user/account-info",
     "ppomppu.co.kr": "https://www.ppomppu.co.kr/myinfo/profile.php",
     "prolific.co": "https://app.prolific.co/account/general",
-    "protonmail.com": "https://mail.protonmail.com/account",
+    "proton.me": "https://account.proton.me/u/0/vpn/account-password",
     "prowlapp.com": "https://www.prowlapp.com/settings.php",
     "quizlet.com": "https://quizlet.com/settings",
     "quora.com": "https://www.quora.com/settings",
@@ -324,6 +355,7 @@
     "trulia.com": "https://www.trulia.com/account/user_profile",
     "tum.de": "https://campus.tum.de",
     "tumblr.com": "https://www.tumblr.com/settings/account",
+    "turkishairlines.com": "https://www.turkishairlines.com/tr-int/miles-and-smiles/forgot-password/",
     "twilio.com": "https://www.twilio.com/console/user/settings",
     "twitch.tv": "https://www.twitch.tv/settings/security",
     "twitter.com": "https://twitter.com/settings/password",